Abstract. This paper considers the problem of checking whether an organization conforms to a body of regulation. Conformance is cast as a trace checking question: the regulation is represented in a logic that is evaluated against an abstract trace or run representing the operations of an organization. We focus on a problem in designing a logic to represent regulation.

A common phenomenon in regulatory texts is for sentences to refer to others for conditions or exceptions. We motivate the need for a formal representation of regulation to accommodate such references between statements. We then extend linear temporal logic to allow statements to refer to others. The semantics of the resulting logic is defined via a combination of techniques from Reiter's default logic and Kripke's theory of truth.

This paper is an expanded version of [1].

1 Introduction

Regulations, laws, and policies that affect many aspects of our lives are represented predominantly as documents in natural language. For example, the Food and Drug Administration's Code of Federal Regulations [2] (FDA CFR) governs the operations of American bloodbanks. The CFR is framed by experts in the field of medicine, and regulates the tests that need to be performed on donations of blood before they are used. In such safety-critical scenarios, it is desirable to assess formally whether an organization (bloodbank) conforms to the regulation (CFR).

There is a growing interest in using formal methods to assist organizations in complying with regulation [3-5]. Assisting an organization in compliance involves a number of tasks related to the notion of a violation. For example, it is of interest to detect or prevent violations, assign blame, and if possible, recover from violations. In this paper, we focus on conformance checking, which involves detecting the presence of violations.

We cast conformance checking as a trace-checking question. The regulation is translated to statements in a logic which are evaluated against a trace or run representing the operations of an organization. The result of evaluation is either an affirmative answer to conformance, or a counterexample representing a subset of the operations of the organization and the specific law that is violated.

* This research was supported in part by NSF CCF-0429948, NSF-CNS-0610297, ARO W911NF-05-1-0158, and ONR MURI N00014-07-1-0907.
There are two important features of regulatory texts that need to be accommodated by a representation in logic. First, regulations convey constraints on an organization's operations, and these constraints can be obligatory (required) or permitted (optional). Second, statements in regulation refer to others for conditions or exceptions. An organization conforms to a body of regulation iff it satisfies all the obligations. However, permissions provide exceptions to obligations, indirectly affecting conformance. Our formulation of obligations and permissions follows the theory of Ross [6], and we will discuss the relationship to other theories (cf. [7]) in Section 3.1.

The central focus of this work is the function of regulatory sentences as conditions or exceptions to others. This function of sentences makes them dependent on others for their interpretation, and makes the translation to logic difficult. We call this the problem of references to other laws. In Section 2, we argue that a logic to represent regulation should provide mechanisms for statements to refer to others. We provide motivation using examples from the FDA CFR. We discuss how these sentences can be represented in a logic without references, and conclude that this would make the translation difficult.

We then turn to the task of defining a logic that lets statements refer to and reason about others. In Section 3.1, we define a trace or run-based representation for the operations of an organization, and a predicate-based linear temporal logic (PredLTL) to make assertions about runs. PredLTL is extended to express two kinds of normative statements (obligations and permissions), leading to a formal definition of conformance.

In Sections 3.2 and 3.3, we extend PredLTL to allow references between laws, thereby making permissions relevant to conformance. Specifically, we introduce an inference predicate, whose interpretation is determined by inferences from laws. The justifications in default logic [8] can be cast as an instance of this predicate. Default logic has been used in computing extensions to a theory, in the manner of logic programs [9, 10]. In conformance checking, we need to separate two uses of statements: (a) extending a theory (the regulation), and (b) determining facts about an organization. This separation is achieved using the inference predicate. Statements are evaluated using the fixed points of an appropriate function, based on a technique used in Kripke's theory of truth [11].

An axiomatization is discussed in Section 4, and Section 5 concludes with a discussion of related and future work.


2 Motivation

In this section, we argue that a logic to represent regulation should provide a mechanism for sentences to refer to others. We discuss shortened versions of sentences from the CFR Section 610.40, which we will use as a running example throughout the paper. Consider the following sentences:

(1) Except as specified in (2), every donation of blood or blood component must be tested for evidence of infection due to Hepatitis B.

(2) You are not required to test donations of source plasma for evidence of infection due to Hepatitis B.
Statement (1) conveys an obligation to test donations of blood or blood component for Hepatitis B, and (2) conveys a permission not to test a donation of source plasma (a blood component) for Hepatitis B. To assess an organization's conformance to (1) and (2), it suffices to check whether "All non-source plasma donations are tested for Hepatitis B". In other words, (1) and (2) imply the following obligation:

(3) Every non-source plasma donation must be tested for evidence of infection due to Hepatitis B.

There are a variety of logics in which one can capture the interpretation of (3), as needed for conformance. Now suppose we have a sentence that refers to (1):

(4) To test for Hepatitis B, you must use a screening test kit.

The reference is more indirect here, but the interpretation is: "If (1) requires a test, then the test must be performed using a screening test kit". A bloodbank is not prevented from using a different kind of test for source plasma donations. (4) can be represented by first producing (3), and then inferring that (3) and (4) imply the following:

(5) Every non-source plasma donation must be tested for evidence of infection due to Hepatitis B using a screening test kit.

It is easy to represent the interpretation of (5) directly in a logic. However, (5) has a complex relationship to the sentences from which it was derived, i.e., (1), (2) and (4). The derivation takes the form of a tree, with (5) at the root: (5) is derived from (3) and (4), and (3) is in turn derived from (1) and (2).

          (5)
         /   \
       (3)   (4)
      /   \
    (1)   (2)


To summarize, if one wishes to use a logic with no support for referring to other sentences, derived obligations must be created manually. We argue that the manual creation of derived obligations is impractical in terms of the amount of effort involved. We give two (pragmatic) reasons. First, the derived obligation can become very complex. The full version of statement (1) in the CFR contains six exceptions, and these exceptions in turn have statements that qualify them further. It is difficult to inspect a derived obligation and determine if it captures the intended interpretation of the sentences from which it came. Second, references between laws are frequent, amplifying the effort in creating a logic representation. In [12], we discuss lexical statistics which suggest that references are a common way of establishing relationships between sentences in the CFR, and [13, 4] point out their frequency in other bodies of regulation.

We advocate an approach that allows us to introduce references into the syntax of the logic, and resolve references during evaluation.


3 Representing Regulatory Documents in Logic

In this section, we extend linear temporal logic (LTL) to distinguish between obligations and permissions, and allow references between statements. We begin, in Section 3.1, by representing a bloodbank as a run or trace. LTL is extended to distinguish between obligations and permissions, leading to definitions of conformance. We then extend the logic to allow sentences to refer to others. Section 3.2 gives an informal example-driven account, and Section 3.3 provides a formal account. The complexity of conformance checking is examined in Section 3.4.

Section 3.1 is intended as background, in which we discuss several underlying assumptions. Our goal is to focus on the problem of references, and to treat the representation of obligations and permissions as an important but orthogonal issue.


3.1 Predicate-based Linear Temporal Logic (PredLTL)

Representing regulated operations: Given the need to demonstrate conformance to the regulation in case of an audit, regulated organizations such as bloodbanks keep track of their operations in a database, for example, donor information and the tests they perform. Such a system can be thought of abstractly as a relational structure evolving over time. At each point in time (state), there are a set of objects (such as donations and donors) and relations between the objects (such as an association between a donor and her donations). The state changes by the creation, removal or modification of objects. We represent this as a run.

Definition 1 (A Run of a System). Given a set $O$ (of objects) and countable sets $\Phi_1, \ldots, \Phi_n$ (where $\Phi_j$ is a set of predicate names of arity $j$), a run of a system $R(O, \Phi_1, \ldots, \Phi_n)$, abbreviated as $R$, is a tuple $(r, \pi_1, \ldots, \pi_n)$ where:

- $r : \mathbb{N} \to S$ is a sequence of states. $\mathbb{N}$ is the set of natural numbers, and $S$ is a set of states.

- $\pi_j : \Phi_j \times S \to 2^{O^j}$ is a truth assignment to predicates of arity $j$. Given $p \in \Phi_j$, we will say that $p(o_1, \ldots, o_j)$ is true at state $s$ iff $(o_1, \ldots, o_j) \in \pi_j(p, s)$.

Given a run $R$ and a time $i \in \mathbb{N}$, the pair $(R, i)$ is called a point (statements in linear temporal logic are evaluated at points). Given the predicate names $(\Phi_1, \ldots, \Phi_n)$, the corresponding space of runs is denoted by $\mathcal{R}(\Phi_1, \ldots, \Phi_n)$, abbreviated as $\mathcal{R}$.

Conceivably, we could construct a state-transition diagram representing all possible behaviors of the system and explore conformance from the model checking perspective (e.g., [14]). We chose to restrict our attention to traces for two reasons. First, checking of traces is easier to explain, and all interesting theoretical and algorithmic aspects that we explore in this paper manifest themselves in trace checking. Second, many parts of the operations of an organization, such as a bloodbank, do not involve computers. A complete model of operations has to include a model of human users, which is a research problem in its own right that is well beyond the scope of this paper. However, if a finite-state model of an organization can be created, the propositional version of the logic developed here can be adapted to work with available model checkers.

Representing the regulation: The logic that we define in this section is a restricted fragment of first-order modal logic. The restriction is that we allow formulas with free variables, but no quantification over objects. Formulas will be interpreted using the universal generalization rule, i.e., over all assignments to free variables. The restrictions are similar in spirit to the logic programming approaches to regulation [9, 10]. PredLTL is less expressive than the variants of first-order logic used by [3, 5]. However, when references are added, the logic becomes more expressive than first-order logic (Section 3.4).

Definition 2 (Syntax). Given sets $\Phi_1, \ldots, \Phi_n$ (of predicate names) and a set of variables $X$, the language $L(\Phi_1, \ldots, \Phi_n, X)$, abbreviated as $L$, is the smallest set such that:

- $p(y_1, \ldots, y_j) \in L$ where $p \in \Phi_j$ and $(y_1, \ldots, y_j) \in X^j$

- If $\varphi \in L$, then $\neg\varphi \in L$ and $\Box\varphi \in L$. If $\varphi, \psi \in L$, then $\varphi \wedge \psi \in L$.

Disjunction $\varphi \vee \psi = \neg(\neg\varphi \wedge \neg\psi)$ and implication $\varphi \Rightarrow \psi = \neg\varphi \vee \psi$ are derived connectives. The temporal operator is understood in the usual way: $\Box\varphi$ ($\varphi$ holds and will always hold (globally)). $\Diamond\varphi$ ($\varphi$ will eventually hold) is defined as $\neg\Box\neg\varphi$.

We now extend the syntax to express normative statements in a body of regulation, by distinguishing between obligations and permissions.

Definition 3 (Syntax of Regulation). Given a finite set of identifiers $ID$, a body of regulation $Reg$ is a set of statements such that for each $id \in ID$, there exist $\varphi, \psi \in L$ such that either: $id.o{:}\ \varphi \to \psi \in Reg$, or $id.p{:}\ \varphi \to \psi \in Reg$.

$id.o{:}\ \varphi \to \psi$ ($id.p{:}\ \varphi \to \psi$) is read as: "it is obligated (permitted) that the precondition $\varphi$ leads to the postcondition $\psi$". The distinction between preconditions and postconditions corresponds to the distinction between input and output in input-output logic [15].

Definition 4 (Semantics). Given a run $R = (r, \pi_1, \ldots, \pi_n)$, $i \in \mathbb{N}$, $\varphi \in L$, and an assignment $v : X \to O$, the relation $(R, i, v) \models \varphi$ is defined inductively as follows:

- $(R, i, v) \models p(y_1, \ldots, y_j)$ iff $(o_1, \ldots, o_j) \in \pi_j(p, r(i))$ where $o_k = v(y_k)$.

- The semantics of conjunction and negation is defined in the usual way.

- $(R, i, v) \models \Box\varphi$ iff for all $k \geq i$: $(R, k, v) \models \varphi$

We extend the semantic relation to regulatory statements. We take $\models$ to stand for "conforms to":

- $(R, i, v) \models id.o{:}\ \varphi \to \psi$ iff $(R, i, v) \models \varphi \Rightarrow \psi$ ($\Rightarrow$ is implication)

- $(R, i, v) \models id.p{:}\ \varphi \to \psi$. Runs vacuously conform to permissions. Permissions will become relevant when references from obligations are present (Section 3.2).

Consider again our example from Section 2. We use three predicates defined as follows. $d(x)$ is true iff $x$ is a donation. $sp(x)$ is true iff $x$ consists of source plasma. $test(x)$ is true iff $x$ is tested for Hepatitis B. Statement (3) is represented as:

$3.o{:}\ d(x) \wedge \neg sp(x) \to \Diamond test(x)$

Statement (2) is represented as: $2.p{:}\ d(y) \wedge sp(y) \to \neg\Diamond test(y)$. However, statement (1) cannot be represented directly.

We will now define conformance, and then discuss the various definitions in the context of related work. Given a run $R$, let $V(R)$ denote the set of variable assignments. Conformance is defined using the notion of validity. A formula $\varphi$ is valid at the point $(R, i)$, denoted $(R, i) \models \varphi$, iff for all $v \in V(R)$: $(R, i, v) \models \varphi$. A formula $\varphi$ is valid on $R$ iff it is valid at all points, that is, $R \models \varphi$ iff for all $i \in \mathbb{N}$: $(R, i) \models \varphi$.


6  Nikhil  Dinesh,  Aravind  Joshi,  Insup  Lee,  and  Oleg  Sokolsky 

Definition 5 (Run Conformance). Given a body of regulation $Reg$ and a run $R$ representing the operations of an organization, we say that $R$ conforms to the regulation iff for all obligations $id.o{:}\ \varphi \to \psi \in Reg$, we have $R \models id.o{:}\ \varphi \to \psi$.

Discussion: The deontic concepts of obligation and permission are treated as properties of sentences. Only obligations matter for conformance. If a non-source plasma donation is not tested, there is a problem. On the other hand, a bloodbank may choose to test a donation of source plasma or not. In assessing conformance, the function of a permission is to serve as an exception to an obligation, and in this indirect manner it becomes relevant. We will give a semantics to this function of permissions in Section 3.2. Such a treatment of permissions has its basis in the legal theory of Ross [6].

Ross' approach to permission is by no means the only one. Theories have distinguished between various kinds of permission (cf. [7]), the most common distinction being that of positive and negative permission. We discuss the analysis by Makinson and van der Torre [16]. $\varphi$ is said to be positively permitted iff it is explicitly permitted by the laws, and $\varphi$ is negatively permitted iff it is not forbidden. The key issue is whether positive permissions can give rise to violations. In regulations phrased exclusively in terms of permissions, it is desirable to say that if $\varphi$ denotes a "relevant" condition which is not explicitly permitted, then it should not hold in conforming implementations. While this has been analysed as a property of permission, following Ross, we take such violations as arising from an implicit obligation, i.e., the clause "then it should not hold in conforming implementations". This implicit obligation can be represented using the techniques we discuss in Section 3.2, provided that the relevance of the condition is known.

In the formulation here, obligations and permissions are top-level operators and cannot be negated. This restriction can be removed by treating obligation and permission as KD modalities (cf. [17]), and using a many-valued interpretation to decide if a run belongs to the set of ideal runs. However, we avoid this to simplify presentation. A more crucial restriction is that iterated deontic constructs cannot be expressed directly, i.e., sentences of the form "required to allow x" or "allowed to require x". One has to decide what top-level obligations or permissions are implied by these constructs. To our knowledge, handling iterated constructs is an open problem in deontic logic [18].


3.2 References to Other Laws - An Informal Description

In this section, we give an informal account of reference logic (RefL), which is used to handle references. We extend the syntax of PredLTL with an inference predicate $\mathrm{by}_{Id}(\varphi)$, where $Id$ is a set of identifiers. $\mathrm{by}_{Id}(\varphi)$ is read as "by the laws in $Id$, $\varphi$ holds". There are two restrictions: (a) $\varphi$ is a statement in PredLTL (Definition 2) and (b) the predicate $\mathrm{by}_{Id}(\varphi)$ can appear only in preconditions of laws. These restrictions are similar to those that apply to justifications in default logic [8].

Consider again our example statements (1) and (2), which are represented in RefL as follows:

- $1.o{:}\ d(x) \wedge \neg\mathrm{by}_{\{2\}}(\varphi(x)) \to \Diamond test(x)$, and

- $2.p{:}\ d(y) \wedge sp(y) \to \neg\Diamond test(y)$
In the obligation above, the subformula $\mathrm{by}_{\{2\}}(\varphi(x))$ is understood as "by the law (2) the formula $\varphi(x)$ holds". It remains to define the formula $\varphi(x)$. Intuitively, this should be the negation of the postcondition of (1). In other words, if $\neg\Diamond test(x)$ follows from (2), then the postcondition of (1) need not hold. This gives us:

$1.o{:}\ d(x) \wedge \neg\mathrm{by}_{\{2\}}(\neg\Diamond test(x)) \to \Diamond test(x)$

We interpret the predicate $\mathrm{by}_{\{2\}}(\neg\Diamond test(x))$ by letting formulas have output. In other words, when the precondition of an obligation or permission is true at a point, the point is annotated with the postcondition.


Time | Objects | Predicates                  | Annotations
-----|---------|-----------------------------|---------------
1    | o1      | d(o1), sp(o1), ¬test(o1)    | 2: ¬◇test(o1)
2    | o1      | d(o1), sp(o1), ¬test(o1)    | 2: ¬◇test(o1)
     | o2      | d(o2), ¬sp(o2), ¬test(o2)   | 1: ◇test(o2)
3    | o1      | d(o1), sp(o1), test(o1)     | 2: ¬◇test(o1)
     | o2      | d(o2), ¬sp(o2), ¬test(o2)   | 1: ◇test(o2)

Table 1. A run and its annotations


Table 1 shows a run of a bloodbank augmented with annotations. First, an object $o_1$ is entered into the system. $o_1$ is a donation of source plasma ($d(o_1)$ and $sp(o_1)$ are true). When a donation is added, its test predicate is initially false. Then, an object $o_2$ is added, which is a donation but not of source plasma. In the third step, the object $o_1$ is tested. At this point, unless the run is extended to test $o_2$ as well, it does not conform with the regulation. We now discuss how the annotations are arrived at and used to assess conformance to the regulation.

We begin by defining an annotation. Given a run $R$, an assignment $v \in V(R)$, and $\varphi \in L$, $v(\varphi)$ is the formula obtained by replacing all variables $x$ by the unique name for the object $v(x)$. We assume that all variables are free. Note that $v(\varphi)$ is equivalent to a propositional LTL formula, as the variables have been replaced by constant symbols. An annotation, $id{:}\ v(\varphi)$, is a propositional LTL formula associated with an identifier.

Given a point $(R, i)$ and an assignment $v \in V(R)$, first we consider the permission $2.p{:}\ d(y) \wedge sp(y) \to \neg\Diamond test(y)$. If $(R, i, v) \models d(y) \wedge sp(y)$, then $(R, i)$ is annotated with $2{:}\ v(\neg\Diamond test(y))$. Otherwise, there is no annotation.

Since the precondition of statement (2) is true for the assignment of $y$ to $o_1$, we have the annotation $2{:}\ \neg\Diamond test(o_1)$ at all points. However, since $o_2$ is not a donation of source plasma, there is no corresponding annotation.

Now consider the formula $\mathrm{by}_{\{2\}}(\neg\Diamond test(x))$. This is evaluated as follows. We evaluate $2.p{:}\ d(y) \wedge sp(y) \to \neg\Diamond test(y)$ at $(R, i)$ w.r.t. all variable assignments. Let $\psi_2$ be the conjunction of the annotations produced by the formula for (2).

$(R, i, v) \models \mathrm{by}_{\{2\}}(\neg\Diamond test(x))$ iff $\models \psi_2 \Rightarrow v(\neg\Diamond test(x))$

Notice that this requires a validity check in propositional LTL, which can be decided in space polynomial in the size of the formula [19].
Returning to the run in Table 1, the states are annotated with $2{:}\ \neg\Diamond test(o_1)$ and $\models \neg\Diamond test(o_1) \Rightarrow \neg\Diamond test(o_1)$, since $\varphi \Rightarrow \varphi$ is a propositional tautology. So $(R, i, v) \models \mathrm{by}_{\{2\}}(\neg\Diamond test(x))$ when $v(x) = o_1$.

We can evaluate $1.o{:}\ d(x) \wedge \neg\mathrm{by}_{\{2\}}(\neg\Diamond test(x)) \to \Diamond test(x)$ similarly by annotating states with $\Diamond test(x)$ if the precondition holds. In Table 1, this results in an annotation of $1{:}\ \Diamond test(o_2)$ on the appropriate states. If $o_2$ is never tested, the run will be declared non-conforming (by Definition 5), but the annotation will remain. This lets a law which depends on (1) draw the correct inference.

3.3 Reference Logic (RefL)

The semantic evaluation outlined in Section 3.2 works only when the references are acyclic, since an order of evaluation needs to be defined. To handle cycles, we adopt a fixed-point technique from Kripke's theory of truth [11]. The idea is to move to a three-valued logic where the third (middle) value stands for ungrounded. Initially, all statements are ungrounded and there are no annotations. Using an inflationary function, we add annotations until a fixed point is reached. In this section, we define this inflationary function and show that it has least and maximal fixed points. We begin by extending the syntax described in Section 3.1:

Definition 6 (Syntax of Preconditions). Given sets $\Phi_1, \ldots, \Phi_n$ (of predicate names), a set of variables $X$, and a finite set of identifiers $ID$, the language $L'(\Phi_1, \ldots, \Phi_n, X, ID)$, abbreviated as $L'$, is the smallest set such that:

- $p(y_1, \ldots, y_j) \in L'$ where $p \in \Phi_j$ and $(y_1, \ldots, y_j) \in X^j$

- If $\varphi \in L'$, then $\neg\varphi \in L'$ and $\Box\varphi \in L'$. If $\varphi, \psi \in L'$, then $\varphi \wedge \psi \in L'$

- If $Id \subseteq ID$ and $\varphi \in L$ (Definition 2), then $\mathrm{by}_{Id}(\varphi) \in L'$


The syntax of regulatory statements (Definition 3) is modified so that the preconditions of laws are statements from $L'$. We use $id.x{:}\ \varphi \to \psi$ to stand for a normative statement (either obligation or permission). We now define an annotation:

Definition 7 (Annotation). Given a run $R$, a set of identifiers $ID$, an assignment $v \in V(R)$, and a body of regulation $Reg$, an annotation is a statement $id{:}\ v(\psi)$ such that $id \in ID$ and $id.x{:}\ \varphi \to \psi \in Reg$. The set of annotations is denoted by $A(R, ID, Reg)$, abbreviated $A$.

Definition 8 (Annotation Function). Given a run $R$, an annotation function $a : \mathbb{N} \to 2^A$ assigns a set of annotations to each point. We use $a.Id(i)$ to denote the set of annotations $id{:}\ \psi \in a(i)$ such that $id \in Id$.

We will formalize the semantics using the fixed point technique outlined in [11]. Before we turn to the formal definitions, we sketch some of the key ideas involved.

Let us assume as given a run $R$. Statements in $L'$ and $Reg$ are divided into three classes corresponding to true ($\mathrm{T}(i, v)$), false ($\mathrm{F}(i, v)$) and ungrounded ($\mathrm{U}(i, v)$) w.r.t. the time $i \in \mathbb{N}$ and assignment $v \in V(R)$. Intuitively, $\mathrm{U}(i, v)$ is the set of statements that are waiting for the evaluation of another statement.
As we discussed in Section 3.2, to determine whether $\mathrm{by}_{Id}(\varphi) \in \mathrm{T}(i, v)$, we need to check if there is a set of annotations which imply $v(\varphi)$. We construct the annotation function $a$ such that for all assignments $v$, we have $id{:}\ v(\psi) \in a(i)$ iff $\varphi \in \mathrm{T}(i, v)$ for some $id.x{:}\ \varphi \to \psi \in Reg$ and $id \in Id$. We will say that $\mathrm{by}_{Id}(\varphi) \in \mathrm{T}(i, v)$ only if $a.Id(i) \cup \{\neg v(\varphi)\}$ is not satisfiable.

To determine whether $\mathrm{by}_{Id}(\varphi) \in \mathrm{F}(i, v)$, we need to ensure that there is no ungrounded statement that could make it true. To check this condition, we construct the annotation function $a'$ such that $id{:}\ v(\psi) \in a'(i)$ iff $\varphi \in \mathrm{T}(i, v) \cup \mathrm{U}(i, v)$ for some $id.x{:}\ \varphi \to \psi \in Reg$ and $id \in Id$. The condition for falsity w.r.t. $a'$ is simply the negation of the condition for truth w.r.t. $a$. More formally, $\mathrm{by}_{Id}(\varphi) \in \mathrm{F}(i, v)$ only if $a'.Id(i) \cup \{\neg v(\varphi)\}$ is satisfiable.

When there are circular references, one cannot always evaluate a statement to be true or false. The Nixon-diamond problem (introduced in [8]) is a well-known example. We rephrase it in "legalese":

(6) Except as otherwise specified, Quakers must be pacifists.

(7) Except as otherwise specified, Republicans must not be pacifists.

These statements can be represented in RefL as follows:

$6.o{:}\ q(x) \wedge \neg\mathrm{by}_{\{6,7\}}(\neg p(x)) \to p(x)$, and

$7.o{:}\ r(x) \wedge \neg\mathrm{by}_{\{6,7\}}(p(x)) \to \neg p(x)$

Suppose we are given a state with an individual $n$ (for Nixon), who is both Quaker and Republican, i.e., $q(n)$ and $r(n)$ hold. How should we evaluate the statements above? [11] suggests two answers to this question: (A) The statements are neither true nor false (they are ungrounded). This corresponds to skeptical reasoning in non-monotonic logic. (B) Exactly one of $\mathrm{by}_{\{6,7\}}(p(n))$ and $\mathrm{by}_{\{6,7\}}(\neg p(n))$ is true, which leads us to conclude $p(n)$ (by (6)) or $\neg p(n)$ (by (7)) respectively. This corresponds to credulous reasoning in non-monotonic logic.

In the semantics we give below, different answers correspond to different fixed points. We refer the reader to [11] for examples and discussion of the various possibilities with regard to fixed points. The choice of what to do when there are multiple fixed points depends on the application, and we discuss this issue further at the end of this section.

Definition 9 (Evaluation). Given a run $R$ and a body of regulation $Reg$, an evaluation is a tuple $E = (\mathrm{T}, \mathrm{F}, \mathrm{U})$, where $\mathrm{T}$, $\mathrm{F}$ and $\mathrm{U}$ are functions of the form $\mathbb{N} \times V(R) \to 2^{L''}$, where $L'' = Reg \cup L'$. Furthermore, for all $i \in \mathbb{N}$ and $v \in V(R)$, we have $\mathrm{T}(i, v) \cap \mathrm{F}(i, v) = \emptyset$ and $\mathrm{U}(i, v) = L'' - (\mathrm{T}(i, v) \cup \mathrm{F}(i, v))$.

Given an evaluation $E$, $a_E$ is the annotation function such that for all $i \in \mathbb{N}$ and $id \in ID$, we have $id{:}\ v(\psi) \in a_E(i)$ iff $\varphi \in \mathrm{T}(i, v)$, where $id.x{:}\ \varphi \to \psi \in Reg$. Similarly, $a'_E$ is the annotation function such that $id{:}\ v(\psi) \in a'_E(i)$ iff $\varphi \in \mathrm{T}(i, v) \cup \mathrm{U}(i, v)$.

Definition 10 (Consistent Evaluation). An evaluation $E$ is consistent iff for all $i \in \mathbb{N}$ and $v \in V(R)$, $\mathrm{T}(i, v) = \mathrm{F}(i, v) = \emptyset$, or $\mathrm{T}(i, v)$ and $\mathrm{F}(i, v)$ are sets such that:

1. $p(x_1, \ldots, x_j) \in \mathrm{T}(i, v)$ iff $(v(x_1), \ldots, v(x_j)) \in \pi_j(p, r(i))$

   $p(x_1, \ldots, x_j) \in \mathrm{F}(i, v)$ iff $(v(x_1), \ldots, v(x_j)) \notin \pi_j(p, r(i))$

2. If $\phi \in \mathrm{T}(i, v)$ and $\psi \in \mathrm{T}(i, v)$, then $\phi \wedge \psi \in \mathrm{T}(i, v)$

   If $\phi \in \mathrm{F}(i, v)$ or $\psi \in \mathrm{F}(i, v)$, then $\phi \wedge \psi \in \mathrm{F}(i, v)$

   and similarly for negation and temporal operators

3. If $\varphi \Rightarrow \psi \in \mathrm{T}(i, v)$, then $id.o{:}\ \varphi \to \psi \in \mathrm{T}(i, v)$

   If $\varphi \Rightarrow \psi \in \mathrm{F}(i, v)$, then $id.o{:}\ \varphi \to \psi \in \mathrm{F}(i, v)$

   $id.p{:}\ \varphi \to \psi \in \mathrm{T}(i, v)$. Runs vacuously conform to permissions.

4. If $\mathrm{by}_{Id}(\varphi) \in \mathrm{T}(i, v)$, then $a_E.Id(i) \cup \{\neg v(\varphi)\}$ is not satisfiable.

   If $\mathrm{by}_{Id}(\varphi) \in \mathrm{F}(i, v)$, then $a'_E.Id(i) \cup \{\neg v(\varphi)\}$ is satisfiable.

The  set  of  all  consistent  evaluations  for  a  run  R  and  regulation  Reg  is  denoted  by 
£{R,  Reg),  abbreviated  £. 

Observe  that  in  consistent  evaluations,  if  byid(</5)  G  T(z,u),  then  aE-Idpi)  U 
is  not  satisfiable  (Clause  4  in  Definition  10).  The  converse  need  not  be  true. 

Definition 11 (Partial Order). Given evaluations $E_1 = (T_1, F_1, U_1)$ and $E_2 = (T_2, F_2, U_2)$, we say that $E_1 \le E_2$ iff for all $i \in \mathbb{N}$ and $v \in V(R)$, $T_1(i,v) \subseteq T_2(i,v)$ and $F_1(i,v) \subseteq F_2(i,v)$.

The pair $(\mathcal{E}, \le)$, where $\mathcal{E}$ is the set of consistent evaluations, is a partially ordered set (poset).

We now define the inflationary function whose fixed points we will be interested in.

Definition 12 (Inflationary function). Given $(\mathcal{E}, \le)$, the function $\mathcal{I} : \mathcal{E} \to \mathcal{E}$ is defined as follows. Given a consistent evaluation $E_1 = (T_1, F_1, U_1)$, $\mathcal{I}(E_1)$ is the smallest consistent evaluation $E_2 = (T_2, F_2, U_2)$ such that $E_1 \le E_2$, for all $i \in \mathbb{N}$ and $v \in V(R)$, $T_2(i,v) \neq \emptyset$, $F_2(i,v) \neq \emptyset$, and $E_2$ extends $E_1$.

We say that $E_2$ extends $E_1$ iff for all $i \in \mathbb{N}$ and $v \in V(R)$:

If $\alpha_{E_1}.Id(i) \cup \{v(\neg\varphi)\}$ is not satisfiable, then $by_{Id}(\varphi) \in T_2(i,v)$

If $\alpha'_{E_1}.Id(i) \cup \{v(\neg\varphi)\}$ is satisfiable, then $by_{Id}(\varphi) \in F_2(i,v)$

In the rest of the section, we show that $\mathcal{I}$ is well-defined, and has maximal fixed points and a unique least fixed point. We begin by observing an ordering relation between annotations that is useful in subsequent proofs:

Proposition 1. Given consistent evaluations $E_1$ and $E_2$ such that $E_1 \le E_2$, and a set of identifiers $Id \subseteq ID$, for all $i \in \mathbb{N}$, we have $\alpha_{E_1}.Id(i) \subseteq \alpha_{E_2}.Id(i)$ and $\alpha'_{E_1}.Id(i) \supseteq \alpha'_{E_2}.Id(i)$.

The proof follows easily from Definitions 9 and 11. We now show that $\mathcal{I}$ is well-defined:

Proposition 2. Given $(\mathcal{E}, \le)$ and $E_1 \in \mathcal{E}$, let $\mathcal{E}_2 \subseteq \mathcal{E}$ be the set of consistent evaluations such that $E_2 \in \mathcal{E}_2$ iff $E_1 \le E_2$, for all $i \in \mathbb{N}$ and $v \in V(R)$, $T_2(i,v) \neq \emptyset$, $F_2(i,v) \neq \emptyset$, and $E_2$ extends $E_1$. Then, $\mathcal{E}_2$ has a smallest element.

Proof. Given $E_1$, we construct the evaluation $E_2$ such that for all $i \in \mathbb{N}$ and $v \in V(R)$: $\varphi \in T_2(i,v)$ iff $\varphi \in T_1(i,v)$ or:

- $\varphi = by_{Id}(\psi)$ and $\alpha_{E_1}.Id(i) \cup \{v(\neg\psi)\}$ is not satisfiable.

- $\varphi = \phi \wedge \psi$ and $\phi, \psi \in T_2(i,v)$. Similarly for propositions, negation and temporal operators.

$F_2(i,v)$ is defined similarly. It is easy to see that $E_1 \le E_2$, $E_2$ extends $E_1$ and the non-emptiness condition follows from the existence of at least one atomic proposition. We claim that $E_2$ is consistent and that it is the smallest evaluation with the requisite properties.

Suppose $E_2$ is not consistent. Consider the smallest $\varphi$ which violates Definition 10. We obtain a contradiction for each clause in Definition 10. The only non-trivial case is for $\varphi = by_{Id}(\psi)$, for which there are two cases.

$by_{Id}(\psi) \in T_2(i,v)$ and $\alpha_{E_2}.Id(i) \cup \{v(\neg\psi)\}$ is satisfiable. By Proposition 1, $\alpha_{E_1}.Id(i) \subseteq \alpha_{E_2}.Id(i)$, and so $\alpha_{E_1}.Id(i) \cup \{v(\neg\psi)\}$ is satisfiable and $by_{Id}(\psi) \notin T_1(i,v)$ (since $E_1$ is consistent). It follows from the construction that $by_{Id}(\psi) \notin T_2(i,v)$, giving us a contradiction.

$by_{Id}(\psi) \in F_2(i,v)$ and $\alpha'_{E_2}.Id(i) \cup \{v(\neg\psi)\}$ is not satisfiable. By Proposition 1, $\alpha'_{E_1}.Id(i) \supseteq \alpha'_{E_2}.Id(i)$, and so $\alpha'_{E_1}.Id(i) \cup \{v(\neg\psi)\}$ is not satisfiable and $by_{Id}(\psi) \notin F_1(i,v)$ (since $E_1$ is consistent). It follows from the construction that $by_{Id}(\psi) \notin F_2(i,v)$, giving us a contradiction.

We now show that $E_2$ is the smallest element with the requisite properties, i.e., for all $E'_2 \in \mathcal{E}_2$, we have $E_2 \le E'_2$. The proof is similar to that for consistency. Suppose, for the sake of contradiction, there exists $E'_2 \in \mathcal{E}_2$ such that $E'_2 = (T'_2, F'_2, U'_2)$ and $E_2 \not\le E'_2$. Consider the smallest $\varphi \in L^+$ such that there exists $i \in \mathbb{N}$ and $v \in V(R)$, and $\varphi \in T_2(i,v) - T'_2(i,v)$ or $\varphi \in F_2(i,v) - F'_2(i,v)$. Again, the only non-trivial case is for $\varphi = by_{Id}(\psi)$.

Suppose $by_{Id}(\psi) \in T_2(i,v) - T'_2(i,v)$. Since $E_1 \le E'_2$, $by_{Id}(\psi) \notin T_1(i,v)$. There are two cases. If $\alpha_{E_1}.Id(i) \cup \{v(\neg\psi)\}$ is not satisfiable, then $by_{Id}(\psi) \in T'_2(i,v)$ (since $E'_2$ extends $E_1$). This gives us a contradiction. If $\alpha_{E_1}.Id(i) \cup \{v(\neg\psi)\}$ is satisfiable, then $by_{Id}(\psi) \notin T_2(i,v)$ (by construction). Again, we have a contradiction. So, $by_{Id}(\psi) \notin T_2(i,v) - T'_2(i,v)$. The other cases are similar. □

The existence of fixed points is established using Zorn's lemma, which applies to chain-complete posets. Given the poset $(\mathcal{E}, \le)$, a set $\mathcal{E}' \subseteq \mathcal{E}$ is called a chain (totally ordered set) iff for all $E_1, E_2 \in \mathcal{E}'$, we have $E_1 \le E_2$ or $E_2 \le E_1$. A poset is chain complete iff every chain has a supremum. We now show that $(\mathcal{E}, \le)$ is a chain-complete poset:

Proposition 3. $(\mathcal{E}, \le)$ is a chain-complete poset.

Proof. Given a chain $\mathcal{E}' \subseteq \mathcal{E}$, consider the evaluation $E_S = (T_S, F_S, U_S)$, where for all $i \in \mathbb{N}$, $v \in V(R)$, and $\varphi \in L^+$:

- $\varphi \in T_S(i,v)$ iff there exists $E = (T, F, U) \in \mathcal{E}'$ such that $\varphi \in T(i,v)$.

- $\varphi \in F_S(i,v)$ iff there exists $E = (T, F, U) \in \mathcal{E}'$ such that $\varphi \in F(i,v)$.

$U_S(i,v) = 2^{L^+} - (T_S(i,v) \cup F_S(i,v))$. It is immediate from the construction that $\forall E \in \mathcal{E}' : E \le E_S$. It is also easy to see that if $E_S$ is a consistent evaluation, then it is the supremum of $\mathcal{E}'$. Thus, it suffices to show that $E_S$ is consistent, and this can be established by an argument similar to the proof of Proposition 2. □
Lemma 1 (Zorn (c.f. [20])). Every chain complete poset has a maximal element.

The existence of maximal fixed points is immediate from Zorn's lemma and the fact that $\mathcal{I}$ is inflationary, i.e., $E \le \mathcal{I}(E)$. Let $E^*$ be a maximal element in $\mathcal{E}$; since $E^*$ is maximal and $E^* \le \mathcal{I}(E^*)$ it follows that $E^* = \mathcal{I}(E^*)$.

To show the existence of a least fixed point, as [11] notes, we will need the observation that $\mathcal{I}$ is monotonic, i.e., if $E_1 \le E_2$ then $\mathcal{I}(E_1) \le \mathcal{I}(E_2)$. This can be shown by an argument similar to the proof of Proposition 2. With monotonicity, we obtain the following corollary to Zorn's lemma:

Corollary 1. Given $E_1 \in \mathcal{E}$, let $\sigma(E_1)$ be the smallest set such that: (a) $E_1 \in \sigma(E_1)$, (b) if $E \in \sigma(E_1)$ then $\mathcal{I}(E) \in \sigma(E_1)$, and (c) if $C \subseteq \sigma(E_1)$ is a non-empty chain, then $E_{SC} \in \sigma(E_1)$, where $E_{SC}$ is the supremum of $C$ w.r.t. $\mathcal{E}$. Then:

- $\sigma(E_1)$ is a chain whose supremum is a fixed point of $\mathcal{I}$

- $\sigma(E_1)$ contains a unique fixed point

- If $E_1 \le E_2$, then $E_{S1} \le E_{S2}$, where $E_{S1}$ and $E_{S2}$ are the suprema of $\sigma(E_1)$ and $\sigma(E_2)$ respectively, and

- $\mathcal{I}$ has a unique least fixed point.


Proof. The fact that $\sigma(E_1)$ is a chain is used to prove Zorn's lemma, and we refer the reader to [20] for a proof.

Let $\mathcal{E}' = \sigma(E_1)$ and let $E_S$ be the supremum of $\mathcal{E}'$. Since $\mathcal{E}'$ contains its supremum $E_S$, and $\mathcal{I}(E_S) \in \mathcal{E}'$ (by definition), we can conclude that $E_S = \mathcal{I}(E_S)$.

We now claim that $E_S$ is the unique fixed point in $\mathcal{E}'$. Suppose not. Let $E \in \mathcal{E}'$ be a fixed point. Since $E \neq E_S$ and $E_S$ is the supremum, we have $E < E_S$. Consider the set $\mathcal{E}''$ such that for all $E' \in \mathcal{E}'$, $E' \in \mathcal{E}''$ iff $E' \le E$. But now, $E_1 \in \mathcal{E}''$ and for all $E' \in \mathcal{E}''$, we have $\mathcal{I}(E') \in \mathcal{E}''$ (for if not, $E' \le E$ and $\mathcal{I}(E) < \mathcal{I}(E')$, contradicting the monotonicity of $\mathcal{I}$). Given a chain $C \subseteq \mathcal{E}''$, since for all $E'' \in C$ we have $E'' \le E$, $\sup(C) \le E$ (by definition of supremum). Since $\mathcal{E}'' \subset \mathcal{E}'$, we have a contradiction to the minimality of $\mathcal{E}'$. Hence, $E_S$ is the unique fixed point in $\mathcal{E}'$.

Given $E_1 \le E_2$, let $E_{S1}$ and $E_{S2}$ be the suprema of $\sigma(E_1)$ and $\sigma(E_2)$ respectively. We claim that $E_{S1} \le E_{S2}$. Suppose not. Consider the set $\mathcal{E}'' \subseteq \sigma(E_1)$ such that $E'_1 \in \mathcal{E}''$ iff $E'_1 \le E_{S2}$. But now, $E_1 \in \mathcal{E}''$ and for all $E'_1 \in \mathcal{E}''$, we have $\mathcal{I}(E'_1) \in \mathcal{E}''$ (for if not, $E'_1 \le E_{S2}$ and $E_{S2} = \mathcal{I}(E_{S2}) < \mathcal{I}(E'_1)$, contradicting the monotonicity of $\mathcal{I}$). The presence of suprema is similarly verified, giving us a contradiction to the minimality of $\sigma(E_1)$. Hence $E_{S1} \le E_{S2}$.

Finally, let $E_0 = (T_0, F_0, U_0)$, where for all $i \in \mathbb{N}$, $v \in V(R)$, $T_0(i,v) = F_0(i,v) = \emptyset$, and $U_0(i,v) = 2^{L^+}$. Observe that for all consistent evaluations $E$, $E_0 \le E$ and hence $E_{S0} \le E_S$, where $E_{S0}$ and $E_S$ are the suprema of $\sigma(E_0)$ and $\sigma(E)$ respectively. Since all suprema are fixed points, $E_{S0}$ is the least fixed point. □

We summarize the results in the following theorem, which provides a base for extending RefL with other inference predicates. We discuss the need for other predicates below, and in Section 5.

Theorem 1. Given the poset of consistent evaluations $(\mathcal{E}, \le)$ and a function $\mathcal{I} : \mathcal{E} \to \mathcal{E}$ which is inflationary and monotonic, $\mathcal{I}$ has a least fixed point and a maximal fixed point.


Discussion:  We  now  discuss  some  options  in  defining  conformance,  depending  on  the 
needs  of  the  application.  The  sections  of  the  FDA  CFR  that  we  have  examined  can  be 
formalized  so  that  there  is  a  unique  fixed  point,  and  conformance  is  simply  the  satisfac¬ 
tion  of  obligations  at  this  fixed  point. 

However, examples discussed in the literature suggest that it may not be desirable to always have a unique fixed point. A well-known example is that of contrary-to-duty (CTD) obligations [21]. CTD obligations are those that arise when other obligations have been violated. Prakken and Sergot [17] point out an inflexibility in casting CTD structures as an instance of non-monotonic reasoning. We outline how this inflexibility can be avoided, using alternate definitions of conformance. Consider the following example from [15] (similar to one in [17]): The cottage must not have a fence or a dog. If it has a dog, then it must have both a fence and a warning sign. The question is what are the obligations when the cottage has a dog. We discuss two possible solutions.

The first solution is to treat the CTD norm as an exception to the first:

$1.o : \neg by_{\{2\}}(f \vee d) \Rightarrow \neg(f \vee d)$ and $2.o : d \Rightarrow f \wedge w$

The propositions $f$, $d$ and $w$ correspond to the cottage having a fence, dog and warning sign respectively. Since there is a dog, the precondition of the second law is true, and this leads to the precondition of the first law being false. So if $f \wedge w$ holds, there is no violation. However, as [17] points out, it may be useful to detect that the situation is worse than the one in which there is no dog. In the second solution, we represent the laws as excluding each other, i.e., we conjoin $\neg by_{\{1\}}(\neg(f \wedge w))$ to the precondition of the second law. At the least fixed point, both obligations are ungrounded, and we get two maximal fixed points: one in which $\neg(f \vee d)$ is obligated, and one in which $f \wedge w$ is obligated. Since $d$ holds, there is a violation w.r.t. the former fixed point. In a scenario where there is no dog, a unique fixed point is obtained.

Our  analysis  of  CTD  structures  achieves  the  same  effect  as  the  analyses  in  [17, 
15].  However,  [17, 15]  characterize  the  CTD  norm  as  presupposing  the  violation  of  the 
other,  and  then  revising  the  situation.  In  future  work,  we  plan  to  investigate  predicates 
that  capture  this  presuppositional  analysis  more  directly. 

3.4  Complexity 

In this section, we discuss upper and lower bounds for the complexity of conformance checking w.r.t. the least fixed point. Given a run $R$ and regulation $Reg$, we say that $R \models Reg$ iff all obligations are valid in $R$ at the least fixed point. $R$ is assumed to be finite in two ways: (a) the set of objects $O$ is finite, and (b) there exists $n$ such that for all $j \ge n$, $r(n) = r(j)$, i.e., $R$ eventually reaches a stable state.

Lemma 2 (Upper Bound). Given a finite run $R$ and regulation $Reg$, $R \models Reg$ can be decided in EXPSPACE (space exponential in the size of $Reg$).

Proof (sketch). Corollary 1 can easily be turned into a decision procedure. Given an evaluation $E$, it can be shown that $E$ and $\mathcal{I}(E)$ agree on all regulatory preconditions iff $E$ is a fixed point. So if $E$ is not a fixed point, there exists $i$ and $v$ such that $\mathcal{I}(E)$ has strictly fewer ungrounded preconditions. In the worst case, there is at most one change, and $n \times |Reg| \times |V|$ steps are required to reach a fixed point, where $|V|$ is the number of variable assignments. Note that $|V| = |O|^k$, where $O$ is the set of objects and $k$ is the largest number of distinct variables appearing in a regulatory statement.

To apply $\mathcal{I}$ to an evaluation $E$, we need an explicit representation of the annotation function $\alpha_E$ (for the satisfiability checks). The worst-case size of the satisfiability instances is $|Reg| \times |O|^k$. Since testing satisfiability for propositional LTL is PSPACE-complete [19], applying $\mathcal{I}$ requires EXPSPACE (due to the $|O|^k$ factor). We note that for the fragment of LTL discussed in this paper (using only $\Box$ and $\Diamond$) satisfiability is NP-complete [19], and for this fragment $R \models Reg$ can be decided in EXPTIME. □

Lemma 3 (Lower Bound). Given a finite run $R$ and regulation $Reg$, $R \models Reg$ is hard for EXPTIME (time exponential in the size of $Reg$).

Proof (sketch). We encode formulas in first-order logic as regulations. Let $\varphi(x_1,\dots,x_m)$ be a first-order formula, where $x_1,\dots,x_m$ are free variables. If $\varphi(x_1,\dots,x_m)$ contains no quantifiers, we represent it by a permission:

$A_\varphi.p : \varphi(x_1,\dots,x_m) \Rightarrow q_\varphi(x_1,\dots,x_m)$, where $q_\varphi(x_1,\dots,x_m)$ is a predicate symbol that doesn't appear in $\varphi(x_1,\dots,x_m)$. It is easy to see that $v(q_\varphi(x_1,\dots,x_m))$ is available as an annotation iff $\varphi(x_1,\dots,x_m)$ is true w.r.t. $v$.

For quantified statements we proceed inductively. Given $\exists y : \varphi(y, x_1,\dots,x_m)$, we add two permissions:

$A_{\exists y:\varphi}.p : by_{\{A_\varphi\}}(q_\varphi(y, x_1,\dots,x_m)) \Rightarrow q'(x_1,\dots,x_m)$

$B_{\exists y:\varphi}.p : by_{\{A_{\exists y:\varphi}\}}(q'(x_1,\dots,x_m)) \Rightarrow q_{\exists y:\varphi}(x_1,\dots,x_m)$

Observe that $by_{\{A_{\exists y:\varphi}\}}(q'(x_1,\dots,x_m))$ is true w.r.t. an assignment $v$ iff $v(q'(x_1,\dots,x_m))$ is available as an annotation. And, $v(q'(x_1,\dots,x_m))$ is available as an annotation iff $by_{\{A_\varphi\}}(q_\varphi(y, x_1,\dots,x_m))$ is true w.r.t. some variable assignment $v'$ that is identical to $v$ except for $y$. We can then argue inductively that $v(q_{\exists y:\varphi}(x_1,\dots,x_m))$ is available as an annotation iff $\exists y : \varphi(y, x_1,\dots,x_m)$ is true w.r.t. $v$.

Given $\forall y : \varphi$, we use the equivalence $\forall y : \varphi \equiv \neg\exists y : \neg\varphi$ and proceed as before.

To complete the construction, given $\varphi(x_1,\dots,x_m)$, we add the obligation:
$1.o : \neg by_{\{A_\varphi\}}(q_\varphi(x_1,\dots,x_m)) \Rightarrow \bot$.

It can be shown that a run with a single state conforms to the regulation iff $\varphi$ is valid at the state. Model-checking for first-order logic is PSPACE-complete (cf. [22]). It follows that computing the least fixed point is PSPACE-hard.

In encoding first-order formulas, we constructed an acyclic regulation. With circular references, one can encode reachability computations which cannot be directly expressed in first-order logic: $1.p : \delta(x,z) \vee (\delta(x,y) \wedge by_{\{1\}}(\delta^+(y,z))) \Rightarrow \delta^+(x,z)$

Here, we assume that each point in a run encodes a graph. The edge relation is given by $\delta$, and $\delta^+$ represents the transitive closure of $\delta$. It can be shown that at the least fixed point $v(\delta^+(x,z))$ is available as an annotation iff there is a path from $v(x)$ to $v(z)$. We can show an EXPTIME lower bound by a reduction from first-order logic enriched with a least fixed point predicate (the system YE in [22]). □




4  Axiomatization 

As we discussed in the proof of Lemma 3, RefL contains first order logic enriched with a least fixed point predicate. It follows from results in [23] that the validity problem is $\Pi^1_1$-hard, and as a result, it cannot be recursively axiomatized. We focus on axiomatizing the propositional fragment.

We assume as given a fixed finite domain of quantification, and the variables are replaced by identifiers for domain elements. Given a set of identifiers $ID$, a propositionalized body of regulation has one or more statements of the form $id.x : \varphi \Rightarrow \psi$ for each $id \in ID$. For example, the presence of $id.x : \varphi_1 \Rightarrow \psi_1$ and $id.x : \varphi_2 \Rightarrow \psi_2$ corresponds to different assignments to the variables.

In  the  presence  of  multiple  fixed  points,  we  can  define  validity  w.r.t.  all  fixed  points, 
the  least  fixed  point  or  maximal  fixed  points.  Axiomatizing  validity  w.r.t.  the  least  or 
maximal  fixed  points  complicates  matters,  because  we  need  to  distinguish  between 
those  formulas  that  are  proved  using  facts  versus  those  that  are  proved  using  inferences. 
[24]  provides  an  axiomatization  of  these  three  notions  of  validity  for  default  logic,  by 
translating  the  default  rules  into  an  autoepistemic  logic.  While  it  may  be  possible  to 
adapt  the  translation  procedure  for  RefL,  we  focus  on  providing  a  more  direct  axioma¬ 
tization.  We  axiomatize  validity  w.r.t.  all  fixed  points,  and  leave  open  the  proof  theory 
for  other  notions  of  validity. 

This section is organized as follows. We begin, in Section 4.1, by discussing axioms for the acyclic fragment of RefL. This lets us clarify the central issues, while avoiding complications introduced by three-valued reasoning. We then turn to the general case. Since we have a three valued logic, we will need a different notion of implication. Section 4.2 gives the necessary extensions to the syntax and an alternate definition of semantics to facilitate the proofs. In Section 4.3, we provide an axiomatization using Fitting's sequent calculus [25]. Completeness is proved in Section 4.4. We conclude, in Section 4.5, with example derivations that help clarify the definition of conformance, and show a prototype for the middle value.

4.1  The  Acyclic  Fragment 

In this section, we discuss an axiomatization for the fragment of RefL where the references in the regulation are acyclic. This lets us obtain a unique fixed point, and restrict attention to two-valued reasoning. The following axioms and rules characterize propositional and temporal reasoning:

A1 All substitution instances of propositional tautologies

A2 $\Box(\varphi \Rightarrow \psi) \Rightarrow (\Box\varphi \Rightarrow \Box\psi)$

A3  A 

R1 From $\vdash \varphi \Rightarrow \psi$ and $\vdash \varphi$, infer $\vdash \psi$

R2 From $\vdash \varphi$ infer $\vdash \Box\varphi$

We characterize the inference predicate by the laws it refers to. To axiomatize $by_{Id}(\varphi)$, we need to reason about provability in the language $L$ (propositional LTL). We say that $\varphi \in L$ is provable (denoted $\vdash_L \varphi$) iff it is an instance of the axioms A1-A3, or follows from the axioms using the rules R1 and R2. Crucially, we will use the negation of provability in the premise of a rule. Similar mechanisms have been used to axiomatize default logic, e.g., in [24], satisfiability is used in the premise of a rule, and in [26], a modal language is augmented with an operator for satisfiability.

We begin by developing some notation. Given a set of regulatory statements $\Gamma = \{id_1.x : \varphi_1 \Rightarrow \psi_1, \dots, id_n.x : \varphi_n \Rightarrow \psi_n\}$, let $\Gamma_{pre} = \{\varphi_1, \dots, \varphi_n\}$ be the set of preconditions, $\Gamma_{post} = \{\psi_1, \dots, \psi_n\}$ be the set of postconditions, and $\Gamma_{id} = \{id_1, \dots, id_n\}$ be the set of identifiers. Given a finite set of formulas $\Gamma$, we denote the conjunction by $\bigwedge \Gamma$. The conjunction of the empty set is identified with $\top$ (a tautology). We use two rules for the inference predicate:

R3 For all $\Gamma \subseteq Reg$ with $\Gamma_{id} \subseteq Id$, from $\vdash_L \bigwedge \Gamma_{post} \Rightarrow \varphi$ infer $\vdash \bigwedge \Gamma_{pre} \Rightarrow by_{Id}(\varphi)$

R4 For all $\lambda \in L'$, if for all $\Gamma \subseteq Reg$ with $\Gamma_{id} \subseteq Id$, either $\not\vdash_L \bigwedge \Gamma_{post} \Rightarrow \varphi$ or $\vdash \lambda \Rightarrow \neg\bigwedge \Gamma_{pre}$, then infer $\vdash \lambda \Rightarrow \neg by_{Id}(\varphi)$.

Informally, R3 says that $by_{Id}(\varphi)$ is true if there exists a set of laws whose postconditions imply $\varphi$, and whose preconditions are true. R4 says that $by_{Id}(\varphi)$ is false if one of the preconditions is false for all sets of laws whose postconditions imply $\varphi$. In particular, if $\not\vdash_L \bigwedge \Gamma_{post} \Rightarrow \varphi$ for all appropriate subsets, then $\vdash \top \Rightarrow \neg by_{Id}(\varphi)$, and using R1, $\vdash \neg by_{Id}(\varphi)$.

The rules have an equivalent axiomatic characterization, which is important in establishing completeness. Given $\varphi \in L$, let $F_{(Id,\varphi)}$ be the set of subsets ($\Gamma \subseteq Reg$ with $\Gamma_{id} \subseteq Id$) such that $\Gamma \in F_{(Id,\varphi)}$ iff $\vdash_L \bigwedge \Gamma_{post} \Rightarrow \varphi$. Let $\bar{F}_{(Id,\varphi)}$ be the set such that $\neg\bigwedge \Gamma_{pre} \in \bar{F}_{(Id,\varphi)}$ iff $\Gamma \in F_{(Id,\varphi)}$. Finally, let $\Lambda_{(Id,\varphi)}$ be the set such that $\bigwedge \Gamma_{pre} \in \Lambda_{(Id,\varphi)}$ iff $\Gamma \in F_{(Id,\varphi)}$.

Proposition 4. The following are provable:

1. $\vdash \bigwedge \bar{F}_{(Id,\varphi)} \Rightarrow \neg by_{Id}(\varphi)$

2. $\vdash by_{Id}(\varphi) \Rightarrow \bigvee \Lambda_{(Id,\varphi)}$

The first claim is an immediate consequence of R4. And, the second claim follows from the first by propositional reasoning. It is easy to show that the axioms A1-A3, together with Proposition 4, and the rules R1 and R2 imply the rules R3 and R4. The inference predicate behaves like a modality:

Proposition 5. $\vdash by_{Id}(\varphi \Rightarrow \psi) \Rightarrow (by_{Id}(\varphi) \Rightarrow by_{Id}(\psi))$

We will prove this property in the general setting, in Section 4.3 (Proposition 11). The axioms and rules presented here extend naturally to the three-valued setting. We begin by extending the syntax with the appropriate implication connective for a three-valued logic. We give an alternate definition of the semantics, to facilitate the proofs.

4.2  Syntactic  and  Semantic  Preliminaries 

We will need two extensions to the syntax of $L^+$. First, we add constants for truth values ($\mathcal{T} = \{\top, ?, \bot\}$). The truth values are totally ordered, i.e., $\top > ? > \bot$. Second, we add the natural implication connective $\varphi \supset \psi$.
We now give a different but equivalent definition of the semantics, to facilitate the proofs. A run $R = (r, \pi)$ is a pair, where $r$ is a sequence of states, and $\pi$ is a truth assignment to atomic propositions. Statements in $L$ (propositional LTL) are evaluated at points $(R, i)$. We define $val(\varphi, R, i)$ inductively as follows:

- $val(p, R, i) = \top$ iff $p \in \pi(r(i))$. Otherwise, $\bot$.

- Conjunction and negation are defined in the usual way.

- $val(\varphi \supset \psi, R, i) = t$, where $t$ is the greatest truth value such that $val(\varphi, R, i) \wedge t \le val(\psi, R, i)$. Since statements in $L$ are two valued, $\varphi \supset \psi = \varphi \Rightarrow \psi$.

- $val(\Box\varphi, R, i) = \bigwedge \{ val(\varphi, R, j) \mid j \ge i \}$

We say that $\varphi \in L$ is valid iff for all points $(R, i)$, we have $val(\varphi, R, i) = \top$. For statements in $L^+$, in addition to a point $(R, i)$, we need two annotation functions $(\alpha, \alpha')$. We define $val_{(\alpha,\alpha')}$ as follows:

- $val_{(\alpha,\alpha')}(t, R, i) = t$ for $t \in \mathcal{T}$

- $val_{(\alpha,\alpha')}(by_{Id}(\varphi), R, i) = \top$ if $\bigwedge \alpha.Id(i) \supset \varphi$ is valid
  $val_{(\alpha,\alpha')}(by_{Id}(\varphi), R, i) = {?}$ if $\bigwedge \alpha'.Id(i) \supset \varphi$ is valid
  $val_{(\alpha,\alpha')}(by_{Id}(\varphi), R, i) = \bot$ otherwise

- For all other formulas the definition is as before. In the three-valued setting $\varphi \supset \psi$ and $\varphi \Rightarrow \psi$ are not identical.
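The difference between $\varphi \supset \psi$ and $\varphi \Rightarrow \psi$ can be made concrete. The following Python is an added illustration, not the paper's code: it encodes the lattice $\top > ? > \bot$ as $2 > 1 > 0$ with conjunction as meet, computes $\varphi \supset \psi$ literally from the definition above (the greatest $t$ with $val(\varphi) \wedge t \le val(\psi)$), compares it with the material reading $\neg\varphi \vee \psi$, and lists the value pairs on which the two disagree. The integer encoding and the function names are this example's assumptions.

```python
"""Natural (three-valued) implication of Section 4.2 versus material implication.
Added illustration, not the paper's code.  Truth values are encoded as integers so
that the page's order top > ? > bot becomes 2 > 1 > 0; conjunction is the meet (min)."""
from itertools import product

BOTTOM, UNKNOWN, TOP = 0, 1, 2
VALUES = (BOTTOM, UNKNOWN, TOP)
NAME = {BOTTOM: 'bot', UNKNOWN: '?', TOP: 'top'}

def meet(a, b):
    """Conjunction on the totally ordered lattice: the smaller value."""
    return min(a, b)

def neg(a):
    """Negation reverses the order: top <-> bot, ? stays ?."""
    return TOP - a

def natural_implies(a, b):
    """phi ⊃ psi: the greatest t such that val(phi) ∧ t <= val(psi),
    found by scanning the three candidates exactly as the definition says."""
    return max(t for t in VALUES if meet(a, t) <= b)

def material_implies(a, b):
    """phi ⇒ psi read as ¬phi ∨ psi, with ∨ the lattice join (max)."""
    return max(neg(a), b)

def differing_pairs():
    """Pairs (val(phi), val(psi)) on which ⊃ and ⇒ give different values."""
    return [(NAME[a], NAME[b]) for a, b in product(VALUES, repeat=2)
            if natural_implies(a, b) != material_implies(a, b)]

def agree_on_two_valued():
    """Restricted to {top, bot} the connectives coincide, as the page states for L."""
    return all(natural_implies(a, b) == material_implies(a, b)
               for a, b in product((BOTTOM, TOP), repeat=2))
```

The two connectives differ only when the antecedent has the middle value: $? \supset \bot$ is $\bot$ while $\neg ? \vee \bot$ is $?$, and $? \supset ?$ is $\top$ while $\neg ? \vee ?$ is $?$. On two-valued inputs they agree, which is why the distinction only matters once the inference predicate introduces the middle value.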

We say that $(\alpha, \alpha')$ is a fixed point for a run $R$ iff for all $i \in \mathbb{N}$ and $id.x : \varphi \Rightarrow \psi$:

- $id{:}\, \psi \in \alpha(i)$ iff $val_{(\alpha,\alpha')}(\varphi, R, i) = \top$

- $id{:}\, \psi \in \alpha'(i)$ iff $val_{(\alpha,\alpha')}(\varphi, R, i) \ge\, ?$

It follows that for all $i \in \mathbb{N}$, $\alpha(i) \subseteq \alpha'(i)$. We now define satisfiability and validity at a point:

- $\varphi$ is satisfiable at $(R, i)$ iff $val_{(\alpha,\alpha')}(\varphi, R, i) = \top$ for some fixed point $(\alpha, \alpha')$

- $\varphi$ is valid at $(R, i)$ iff $val_{(\alpha,\alpha')}(\varphi, R, i) = \top$ for all fixed points $(\alpha, \alpha')$

Finally, we say that $\varphi$ is valid iff $\varphi$ is valid at all points. We are now ready to axiomatize RefL.

4.3  Sequent  Calculus 

We use Fitting's sequent calculus [25]. A sequent is a statement of the form $\Gamma \to \Delta$, where $\Gamma$ and $\Delta$ are finite sets of implications. A sequent is valid at a point $(R, i)$ iff for all fixed points $(\alpha, \alpha')$, either $val_{(\alpha,\alpha')}(X, R, i) \neq \top$ for some $X \in \Gamma$, or $val_{(\alpha,\alpha')}(X, R, i) = \top$ for some $X \in \Delta$. A sequent is valid iff it is valid at all points. Following [25], we use lower case letters for truth values, and upper case letters for formulas.

We begin by reviewing the axioms and rules for propositional and temporal reasoning. All the rules are given in [25]. We introduce some additional axioms for negation and the temporal operators.
Basic Axioms and Rules:

$X \to X$

(thinning) From $\Gamma \to \Delta$ infer $\Gamma \cup \Gamma' \to \Delta \cup \Delta'$

(cut) From $\Gamma \to \Delta, X$ and $\Gamma, X \to \Delta$ infer $\Gamma \to \Delta$

$A \supset B, B \supset C \to A \supset C$

Truth Value Axioms and Rules:

($t \supset$) From $\Gamma, t \supset A \to \Delta, t \supset B$ (for all $t \in \mathcal{T}$) infer $\Gamma \to \Delta, A \supset B$

($\supset t$) From $\Gamma, B \supset t \to \Delta, A \supset t$ (for all $t \in \mathcal{T}$) infer $\Gamma \to \Delta, A \supset B$

$\to a \supset b$ (if $a \le b$)

$a \supset b \to$ (if $a \not\le b$)

$\to \top \supset p, p \supset \bot$ (for all atomic propositions $p$)

The last axiom ensures that LTL formulas are either true or false. The middle value arises only due to the inference predicate.

Proposition 6. The following are provable:

$\to A \supset \top$
$\to \bot \supset A$
$\to A \supset A$

Proof. We prove the first claim. For every $t \in \mathcal{T}$, $\to t \supset \top$ is an axiom (since $t \le \top$), and thinning gives $t \supset A \to t \supset \top$. Applying the rule ($t \supset$) to these premises yields $\to A \supset \top$. □


In [25] and here, the proof of completeness makes crucial use of a derived rule:

Proposition 7 ([25]). The following is a derived rule: from $\Gamma, A \supset t, t \supset A \to \Delta$ (for all $t \in \mathcal{T}$) infer $\Gamma \to \Delta$.

Proof. [25] gives a proof of this derived rule for any finite lattice. We use the fixed lattice to give a simpler proof. We are given that $\Gamma, A \supset \top, \top \supset A \to \Delta$. By Proposition 6, $\to A \supset \top$. Using cut, we get $\Gamma, \top \supset A \to \Delta$. We can now derive $\Gamma \to \Delta, A \supset\, ?$: a cut of $\Gamma, \top \supset A \to \Delta$ against $\to \top \supset A, \top \supset\, ?, A \supset\, ?$ gives $\Gamma \to \Delta, \top \supset\, ?, A \supset\, ?$, and a second cut against the axiom $\top \supset\, ? \to$ (since $\top \not\le\, ?$) gives $\Gamma \to \Delta, A \supset\, ?$.

Similarly, we can derive $\Gamma \to \Delta, ? \supset A$ from $\Gamma, A \supset \bot, \bot \supset A \to \Delta$. Then, given $\Gamma, A \supset\, ?, ? \supset A \to \Delta$, two applications of cut give us $\Gamma \to \Delta$. □

Conjunction Axioms:

$\to A \wedge B \supset A$
$\to A \wedge B \supset B$
$C \supset A, C \supset B \to C \supset A \wedge B$

Negation Axioms:

$\to A \supset \neg\neg A$
$\to \neg\neg A \supset A$
$A \supset B \to \neg B \supset \neg A$
$\to a \supset \neg b$ ($a = \neg b$)
$\to \neg b \supset a$ ($a = \neg b$)

Implication Axioms: We treat implication as right associative, i.e., $A \supset B \supset C = A \supset (B \supset C)$.

$A \wedge B \supset C \to A \supset B \supset C$
$A \supset B \supset C \to A \wedge B \supset C$

We now establish some useful facts about implications, which are useful in deriving properties of modalities:

Proposition 8. The following are provable:

$A \supset B \to t \supset A \supset B$
$\top \supset A \supset B \to A \supset B$
$t \supset A \supset B, t \supset A \to t \supset B$

Proof. For the first claim, the transitivity axiom gives $t \wedge A \supset A, A \supset B \to t \wedge A \supset B$, and $\to t \wedge A \supset A$ is a conjunction axiom; a cut gives $A \supset B \to t \wedge A \supset B$. Now, cutting this against the implication axiom $t \wedge A \supset B \to t \supset A \supset B$ gives $A \supset B \to t \supset A \supset B$.

For the second claim, we need the observation that $\to A \supset \top \wedge A$ is provable: from the conjunction axiom $A \supset \top, A \supset A \to A \supset \top \wedge A$ and the sequents $\to A \supset \top$ and $\to A \supset A$ (Proposition 6), two cuts give $\to A \supset \top \wedge A$. Cutting this against the transitivity axiom $A \supset \top \wedge A, \top \wedge A \supset B \to A \supset B$ gives $\top \wedge A \supset B \to A \supset B$. Now using the axiom $\top \supset A \supset B \to \top \wedge A \supset B$, an application of cut gives us $\top \supset A \supset B \to A \supset B$.

Finally, for the third claim, we need the observation that $\to (A \supset B) \wedge A \supset B$ is provable. By Proposition 6, $\to (A \supset B) \supset A \supset B$ (an instance of $\to A \supset A$, read right associatively). Using the implication axiom $(A \supset B) \supset A \supset B \to (A \supset B) \wedge A \supset B$, an application of cut gives us the desired result. Then, from the transitivity axiom $t \supset (A \supset B) \wedge A, (A \supset B) \wedge A \supset B \to t \supset B$ and $\to (A \supset B) \wedge A \supset B$, a cut gives $t \supset (A \supset B) \wedge A \to t \supset B$. Finally, from the conjunction axiom $t \supset A \supset B, t \supset A \to t \supset (A \supset B) \wedge A$ and the sequent just derived, a cut gives $t \supset A \supset B, t \supset A \to t \supset B$. □


Temporal Reasoning:

(TNecc) From $a_1 \supset A_1, \dots, a_n \supset A_n \to b \supset B$ ($n \ge 0$) infer $a_1 \supset \Box A_1, \dots, a_n \supset \Box A_n \to b \supset \Box B$

$\to \Box A \supset A \wedge \Box\Box A$

We can now prove the distribution axiom:

Proposition 9. The following is provable:

$\to \Box(A \supset B) \supset \Box A \supset \Box B$

Proof. By Proposition 8, $t \supset A \supset B, t \supset A \to t \supset B$. Using TNecc, we get $t \supset \Box(A \supset B), t \supset \Box A \to t \supset \Box B$. It is easy to derive:

$t \supset \Box(A \supset B) \wedge \Box A \to t \supset \Box B$

Using the rule ($t \supset$), we get $\to \Box(A \supset B) \wedge \Box A \supset \Box B$. The desired result follows using the implication axiom. □

Rules for the Inference Predicate:

We now introduce two rules for the inference predicate, analogous to the rules that we discussed in Section 4.1. We begin with a semantic characterization.

Given a set of regulatory statements $\Gamma = \{id_1.x : A_1 \Rightarrow B_1, \dots, id_n.x : A_n \Rightarrow B_n\}$, let $\Gamma_{pre} = \{A_1, \dots, A_n\}$ be the set of preconditions, $\Gamma_{post} = \{B_1, \dots, B_n\}$ be the set of postconditions, and $\Gamma_{id} = \{id_1, \dots, id_n\}$ be the set of identifiers.

Given a set of identifiers $Id$, let $Reg_{Id}$ be the set of subsets of regulatory statements $\Gamma$ such that $\Gamma_{id} \subseteq Id$. Given $C \in L$, let $Reg_{(Id,C)}$ be the sets $\Gamma \in Reg_{Id}$ such that $\bigwedge \Gamma_{post} \supset C$ is valid. Given a point $(R, i)$ and a fixed point $(\alpha, \alpha')$:

$val_{(\alpha,\alpha')}(by_{Id}(C), R, i) = \bigvee \{ val_{(\alpha,\alpha')}(\bigwedge \Gamma_{pre}, R, i) \mid \Gamma \in Reg_{(Id,C)} \}$

In other words, $by_{Id}(C)$ is true iff there is a set of laws ($\Gamma$ with $\Gamma_{id} \subseteq Id$) such that (a) $C$ can be inferred from the postconditions, and (b) the preconditions are true. Similarly, $by_{Id}(C)$ is false iff for all appropriate sets of laws such that $C$ can be inferred from the postconditions, one of the preconditions is false.

To  axiomatize  byid(G),  we  need  to  reason  about  provability  in  the  language  L 
(propositional  LTL).  We  say  that  a  sequent  in  the  language  L  is  provable  (denoted 
F  A)  iff  it  is  provable  using  the  axioms  and  rules  introduced  previously.  As  we 
discussed  in  Section  4.1,  we  will  need  to  use  the  negation  of  provability  in  the  premise 
of  a  rule.  The  rules  are  as  follows: 


\[
\frac{\Gamma = \{id_1.x : A_1 \Rightarrow B_1, \ldots, id_n.x : A_n \Rightarrow B_n\} \subseteq \mathrm{Reg},\; \Gamma_{id} \subseteq Id \qquad \to_L B_1 \wedge \ldots \wedge B_n \supset C}{t \supset A_1, \ldots, t \supset A_n \to t \supset \mathrm{by}_{Id}(C)} \;(\mathrm{RBy1})
\]

\[
\frac{\text{For all } \Gamma = \{id_1.x : A_1 \Rightarrow B_1, \ldots, id_n.x : A_n \Rightarrow B_n\} \subseteq \mathrm{Reg},\; \Gamma_{id} \subseteq Id: \text{ if } \to_L B_1 \wedge \ldots \wedge B_n \supset C \text{ then } \Gamma' \to A_1 \supset t, \ldots, A_n \supset t}{\Gamma' \to \mathrm{by}_{Id}(C) \supset t} \;(\mathrm{RBy2})
\]

Informally, RBy1 says that $\mathrm{by}_{Id}(C)$ is true if there exists $\Gamma \in \mathrm{Reg}_{(Id,C)}$ such that the preconditions are true. RBy2 says that $\mathrm{by}_{Id}(C)$ is false if one of the preconditions is false (for all $\Gamma \in \mathrm{Reg}_{(Id,C)}$). In particular, if $B_1 \wedge \ldots \wedge B_n \supset C$ is not provable for all appropriate subsets, then $\to \mathrm{by}_{Id}(C) \supset \bot$, as the premise of RBy2 is vacuously satisfied.

We now develop some notation that is useful in several subsequent proofs. Given $C \in L$, let $\Gamma_{(Id,C)}$ be the set of subsets ($\Gamma \subseteq \mathrm{Reg}$ with $\Gamma_{id} \subseteq Id$) such that $\Gamma \in \Gamma_{(Id,C)}$ iff $\to_L \bigwedge \Gamma_{post} \supset C$. Let $\Delta_{(Id,C)}(t)$ be the set such that $t \supset \bigwedge \Gamma_{pre} \in \Delta_{(Id,C)}(t)$ iff $\Gamma \in \Gamma_{(Id,C)}$. Finally, let $\Gamma_{(Id,C)}(t)$ be the set such that $\bigwedge \Gamma_{pre} \supset t \in \Gamma_{(Id,C)}(t)$ iff $\Gamma \in \Gamma_{(Id,C)}$.

Proposition 10. The following are provable:

\[
\Gamma_{(Id,C)}(t) \to \mathrm{by}_{Id}(C) \supset t
\]
\[
t \supset \mathrm{by}_{Id}(C) \to \Delta_{(Id,C)}(t)
\]

Proof. The first claim is immediate from RBy2. For the second claim, we show the proof for $t = \top$ (abbreviating $\Gamma_{(Id,C)}$ and $\Delta_{(Id,C)}$ as $\Gamma_C$ and $\Delta_C$). By propositional reasoning, the following is provable:

\[
\to \top \supset A,\; A \supset ? \quad (\forall A \in L^+)
\]

From the first claim, $\Gamma_C(?) \to \mathrm{by}_{Id}(C) \supset ?$, and it follows that:

\[
\top \supset \mathrm{by}_{Id}(C),\; \Gamma_C(?) \to
\]

For each $X = A \supset ?$ such that $X \in \Gamma_C(?)$, we have $\to \top \supset A,\; X$. Using cut, we get:

\[
\top \supset \mathrm{by}_{Id}(C),\; \Gamma_C(?) - \{X\} \to \top \supset A
\]

Since $\Gamma_C(?)$ is finite, repeated applications of cut will give us:

\[
\top \supset \mathrm{by}_{Id}(C) \to \Delta_C(\top)
\]

□

We can show that the inference predicate behaves like a modality, by deriving a weaker version of the necessitation rule:¹

Proposition 11. The following is a derived rule:

\[
\frac{\to_L D_1 \wedge \ldots \wedge D_n \supset C}{\to \mathrm{by}_{Id}(D_1) \wedge \ldots \wedge \mathrm{by}_{Id}(D_n) \supset \mathrm{by}_{Id}(C)}
\]

Proof. By Proposition 10, $t \supset \mathrm{by}_{Id}(D_i) \to \Delta_{(Id,D_i)}(t)$ is provable for $1 \leq i \leq n$. We construct $\Delta$ such that for each $t \supset A_i \in \Delta_{(Id,D_i)}(t)$ we have $t \supset A_1 \wedge \ldots \wedge A_n \in \Delta$. By propositional reasoning, it follows that:

\[
t \supset \mathrm{by}_{Id}(D_1), \ldots, t \supset \mathrm{by}_{Id}(D_n) \to \Delta
\]

Observe that each $X \in \Delta$ is associated with a set of regulatory statements $\Gamma$, such that $\Gamma_{id} \subseteq Id$ and $\to_L \bigwedge \Gamma_{post} \supset D_i$ for all $1 \leq i \leq n$. Using the fact that $\to_L D_1 \wedge \ldots \wedge D_n \supset C$, it is easy to show that $\to_L \bigwedge \Gamma_{post} \supset C$. Then RBy1 gives us $X \to t \supset \mathrm{by}_{Id}(C)$ for all $X \in \Delta$. Repeated applications of cut will give us:

\[
t \supset \mathrm{by}_{Id}(D_1), \ldots, t \supset \mathrm{by}_{Id}(D_n) \to t \supset \mathrm{by}_{Id}(C)
\]

The desired result follows using propositional reasoning. The distribution axiom, i.e., $\to \mathrm{by}_{Id}(A \supset B) \wedge \mathrm{by}_{Id}(A) \supset \mathrm{by}_{Id}(B)$, follows easily using this derived rule, and the fact that $\to_L (A \supset B) \wedge A \supset B$. □

¹ The stronger version of the necessitation rule (schematically equivalent to TNecc) can be derived by making use of the two-valued restriction of LTL. However, we have not found an appropriate generalization for a many-valued logic.

4.4  Completeness 

We now discuss the soundness and completeness of the type system. Soundness, as usual, is straightforward, and we leave the details to the reader. We begin by showing completeness for the atemporal fragment. From the perspective of a temporal operator, a formula $\mathrm{by}_{Id}(C)$ is simply an atomic proposition which can have the middle value. We use the pre-model construction in [27] to generalize the proof to a temporal setting.

Given an implication $X$, let $\mathrm{sub}(X)$ be the set of subformulas of $X \cup \mathrm{Reg}$ and their negations. Note that the subformulas of $\mathrm{Reg}$ are the subformulas of the preconditions and postconditions. $\neg\neg A$ is identified with $A$. Given $\mathrm{sub}(X)$, we construct the set of implications $\mathrm{cl}(X)$ such that for all $A \in \mathrm{sub}(X)$ and $t \in T$, $\{A \supset t, t \supset A\} \subseteq \mathrm{cl}(X)$.

Definition 13. Given $\Gamma \subseteq \mathrm{cl}(X)$ and $Y \in \mathrm{cl}(X)$:

- $\Gamma$ is $Y$-consistent iff $\Gamma \to Y$ is not provable. $\Gamma$ is $Y$-inconsistent iff $\Gamma \to Y$ is provable.

- $\Gamma$ is maximal $Y$-consistent iff $\Gamma$ is $Y$-consistent and for all $Z \in \mathrm{cl}(X) - \Gamma$, $\Gamma \cup \{Z\}$ is $Y$-inconsistent.

Theorem 2 ([25]). Given $\Gamma \subseteq \mathrm{cl}(X)$ and $Y \in \mathrm{cl}(X)$ such that $\Gamma$ is maximal $Y$-consistent, for all $A \in \mathrm{cl}(X)$, there is exactly one $t \in T$ such that $\{t \supset A, A \supset t\} \subseteq \Gamma$.

Proof. We first show that for each $A \in \mathrm{cl}(X)$ there is at most one truth value with the requisite properties. Suppose not. Then we have two truth values such that $\{t_1 \supset A, A \supset t_1\} \subseteq \Gamma$ and $\{t_2 \supset A, A \supset t_2\} \subseteq \Gamma$. It is easy to derive that $\Gamma \to t_1 \supset t_2$ and $\Gamma \to t_2 \supset t_1$. Since $t_1 \neq t_2$, either $t_1 \not\leq t_2$ or $t_2 \not\leq t_1$. So, by the truth value axioms we have either $t_1 \supset t_2 \to$ or $t_2 \supset t_1 \to$. In either case, using cut, $\Gamma \to$ is provable, and by thinning, $\Gamma \to Y$ is provable. This contradicts the $Y$-consistency of $\Gamma$.

Now we show that there is at least one truth value with the requisite properties. Suppose not. Since $\Gamma$ is maximal, we have:

\[
\Gamma,\; A \supset t,\; t \supset A \to Y \quad (\forall t \in T)
\]

By Proposition 7, it follows that $\Gamma \to Y$, contradicting the $Y$-consistency of $\Gamma$. □

Lemma 4. Given $\Gamma \subseteq \mathrm{cl}(X)$ and $Y \in \mathrm{cl}(X)$ such that $\Gamma$ is maximal $Y$-consistent and $\mathrm{by}_{Id}(C) \in \mathrm{cl}(X)$:

\[
t \supset \mathrm{by}_{Id}(C) \in \Gamma \text{ iff there exists } \Gamma' \in \Gamma_{(Id,C)} \text{ such that for all } A \in \Gamma'_{pre},\; t \supset A \in \Gamma
\]
\[
\mathrm{by}_{Id}(C) \supset t \in \Gamma \text{ iff for all } \Gamma' \in \Gamma_{(Id,C)} \text{ there exists } A \in \Gamma'_{pre} \text{ such that } A \supset t \in \Gamma
\]

For each part, one direction follows directly from the inference rules, and the other direction follows directly from Proposition 10.

Given a maximal $X$-consistent set $\Gamma$, we construct a state $s_\Gamma$ such that for all atomic propositions $p$, $p \in s_\Gamma$ iff $\{\top \supset p, p \supset \top\} \subseteq \Gamma$. We also construct sets $\alpha_\Gamma$ and $\alpha'_\Gamma$ such that for each $id.x : A \Rightarrow B \in \mathrm{Reg}$:

- $id : B \in \alpha_\Gamma$ iff $\{\top \supset A, A \supset \top\} \subseteq \Gamma$

- $id : B \in \alpha'_\Gamma$ iff $id : B \in \alpha_\Gamma$ or $\{? \supset A, A \supset ?\} \subseteq \Gamma$

The completeness proof is finished in the usual way. $s_\Gamma$ is extended into a run $R$ with a single state. A single state suffices for the atemporal case. $(\alpha_\Gamma, \alpha'_\Gamma)$ are extended to annotation functions $(\alpha, \alpha')$. It is easy to show that $\mathrm{val}_{(\alpha,\alpha')}(A, R, i) = t$ iff $t$ is the unique value such that $\{A \supset t, t \supset A\} \subseteq \Gamma$. Using Lemma 4 and the construction of annotation functions, we can argue that the annotations correspond to a fixed point. Thus if $\to X$ is not provable, we can create a maximal $\top \supset X$-consistent set $\Gamma$, which is extended to a run and fixed point such that $X$ is not true.

Now, we consider the temporal case. Given $X \in L^+$ and a body of regulation, let $M_X$ be the set of all maximal consistent sets, i.e., $\Gamma \in M_X$ iff $\Gamma$ is maximal $Y$-consistent for some $Y \in \mathrm{cl}(X)$. We construct the relation $\delta_X \subseteq M_X \times M_X$ such that $(\Gamma, \Gamma') \in \delta_X$ iff for all temporal formulas $\Box A \in \mathrm{sub}(X)$, if $t \supset \Box A \in \Gamma$, then $\{t \supset A, t \supset \Box A\} \subseteq \Gamma'$. Intuitively, the graph of maximal consistent sets $G_X = (M_X, \delta_X)$ encodes a set of runs. The global formulas ($t \supset \Box A$) get the right interpretation, but not so for eventual formulas ($\Box A \supset t$). We will be interested in the set of paths which are fulfilling [27]:

Definition 14. Given $X \in L^+$ and $G_X = (M_X, \delta_X)$, a path in $G_X$ is an infinite sequence of states $\rho_X : \mathbb{N} \to M_X$, such that for all $i \in \mathbb{N}$, $(\rho_X(i), \rho_X(i+1)) \in \delta_X$. A path $\rho_X$ is said to be fulfilling iff for all temporal formulas $\Box A \in \mathrm{sub}(X)$ and for all $i \in \mathbb{N}$, if $\Box A \supset t \in \rho_X(i)$, then there exists $j \geq i$ such that $A \supset t \in \rho_X(j)$.

We now prove the existence of fulfilling paths:

Lemma 5. Given $X \in L^+$ and $G_X = (M_X, \delta_X)$, for all $\Gamma \in M_X$, $\Box A \supset t \in \Gamma$ iff there exists a finite path $(\Gamma_0, \ldots, \Gamma_n)$ such that $\Gamma_0 = \Gamma$, for all $0 \leq i < n$, $(\Gamma_i, \Gamma_{i+1}) \in \delta_X$, and $A \supset t \in \Gamma_n$.

Proof. Suppose $\Box A \supset t \in \Gamma$, and no appropriate finite sequence exists. Let $T_\Gamma \subseteq M_X$ be the smallest set such that (a) $\Gamma \in T_\Gamma$, and (b) if $\Gamma_1 \in T_\Gamma$ and $(\Gamma_1, \Gamma_2) \in \delta_X$, then $\Gamma_2 \in T_\Gamma$. In other words, $T_\Gamma$ is the set of states reachable from $\Gamma$. Observe that for all $\Gamma' \in T_\Gamma$, $A \supset t \notin \Gamma'$. Since the sets in $T_\Gamma$ are maximal, there exists some $t' \not\leq t$ such that for all $\Gamma' \in T_\Gamma$, $t' \supset A \in \Gamma'$. Consider the set of implications $\{t_1 \supset \Box A_1, \ldots, t_n \supset \Box A_n\} \subseteq \Gamma$. We claim that:

\[
t_1 \supset \Box A_1, \ldots, t_n \supset \Box A_n,\; t_1 \supset A_1, \ldots, t_n \supset A_n \to t' \supset A
\]

For if not, we can construct a maximal $t' \supset A$-consistent set $\Gamma''$ such that $\Gamma'' \in T_\Gamma$. But this contradicts the fact that $t' \supset A \in \Gamma'$ for all $\Gamma' \in T_\Gamma$. Assuming that the sequent above is provable, using TNecc, we get:

\[
t_1 \supset \Box\Box A_1, \ldots, t_n \supset \Box\Box A_n,\; t_1 \supset \Box A_1, \ldots, t_n \supset \Box A_n \to t' \supset \Box A
\]

Using the fact that $\to \Box A \supset \Box\Box A$, we can derive that:

\[
t_1 \supset \Box A_1, \ldots, t_n \supset \Box A_n \to t' \supset \Box A
\]

Since all items on the left are in $\Gamma$, $t' \supset \Box A \in \Gamma$. However, $t' \not\leq t$ and $\Box A \supset t \in \Gamma$, from which we can contradict the fact that $\Gamma$ is consistent. As a result, there exists $\Gamma' \in T_\Gamma$ such that $A \supset t \in \Gamma'$. Since $M_X$ is finite, there exists a finite path from $\Gamma$ to $\Gamma'$.

For the other direction, suppose we are given a finite path $(\Gamma_0, \ldots, \Gamma_n)$ such that $A \supset t \in \Gamma_n$. We need to show that $\Box A \supset t \in \Gamma_0$. The proof proceeds by induction on $n$. For $n = 0$, we have $\Gamma_0 \to A \supset t$. Since $\to \Box A \supset A$, we can derive that $\Gamma_0 \to \Box A \supset t$. For $n = 1$, we have $\Gamma_1 \to A \supset t$. Suppose $\Box A \supset t \notin \Gamma_0$; then we have $\Gamma_0 \to t' \supset \Box A$ for some $t' \not\leq t$. So, $\Gamma_1 \to t' \supset A$, contradicting the consistency of $\Gamma_1$. For the inductive step, since $\Gamma_n \to A \supset t$, we have $\Gamma_1 \to \Box A \supset t$ (by the induction hypothesis). Again, suppose $\Box A \supset t \notin \Gamma_0$; then we have $\Gamma_0 \to t' \supset \Box A$ for some $t' \not\leq t$. So, $\Gamma_1 \to t' \supset \Box A$, contradicting the consistency of $\Gamma_1$. □

Completeness is established analogously to the atemporal setting. Given $X \in L^+$ such that $\to X$ is not provable, we construct $G_X = (M_X, \delta_X)$. Observe that there exists $\Gamma \in M_X$ such that $\Gamma$ is $\top \supset X$-consistent. Using Lemma 5, construct a fulfilling path $\rho_X : \mathbb{N} \to M_X$ such that $\rho_X(0) = \Gamma$. The path is extended to a run $R$ with fixed point annotations $(\alpha, \alpha')$, as discussed earlier. It is easy to show that $\mathrm{val}_{(\alpha,\alpha')}(A, R, i) = t$ iff $t$ is the unique value such that $\{A \supset t, t \supset A\} \subseteq \Gamma$. As a result, $\mathrm{val}_{(\alpha,\alpha')}(X, R, 0) \neq \top$, and $X$ is not valid. We obtain the following:

Theorem 3. Given a body of regulation $\mathrm{Reg}$, for all implications $X \in L^+$:

\[
X \text{ is provable iff } X \text{ is valid}
\]

4.5  Example  Derivations 

We discuss two examples. The first example will be used to clarify our definition of conformance, and the second to show a prototype for the middle value.

Example 1: Consider the propositionalized version of our regulatory sentences:

- 1.o: $d \wedge \neg\mathrm{by}_{\{2\}}(\neg\Diamond test) \Rightarrow \Diamond test$

- 2.p: $sp \Rightarrow \neg\Diamond test$

The following is provable:

\[
\to d \wedge \neg sp \supset \mathrm{by}_{\{1\}}(\Diamond test)
\]

Since $\top \supset \neg\Diamond test$ is satisfiable, $\top \supset \Diamond test$ is not provable. By Proposition 6, we have $\to_L \neg\Diamond test \supset \neg\Diamond test$. By Proposition 10, we get:

\[
sp \supset t \to \mathrm{by}_{\{2\}}(\neg\Diamond test) \supset t \quad (*)
\]

Since $\to_L \Diamond test \supset \Diamond test$, it follows from RBy1 that:

\[
t \supset d,\; t \supset \neg\mathrm{by}_{\{2\}}(\neg\Diamond test) \to t \supset \mathrm{by}_{\{1\}}(\Diamond test) \quad (**)
\]

The result follows easily from propositional reasoning. From $(*)$, using $(\supset t)$, we get $\to \mathrm{by}_{\{2\}}(\neg\Diamond test) \supset sp$. Using the negation axiom, we get:

\[
\to \neg sp \supset \neg\mathrm{by}_{\{2\}}(\neg\Diamond test)
\]

By Proposition 8, we have $A \supset B \to t \supset A \supset B$ and $t \supset A \supset B,\; t \supset A \to t \supset B$. We can derive that:

\[
t \supset \neg sp \to t \supset \neg\mathrm{by}_{\{2\}}(\neg\Diamond test) \quad (***)
\]

Now using $(**)$, we can derive $t \supset d,\; t \supset \neg\mathrm{by}_{\{2\}}(\neg\Diamond test) \to t \supset \mathrm{by}_{\{1\}}(\Diamond test)$. Using $(***)$, an application of cut gives us:

\[
t \supset d,\; t \supset \neg sp \to t \supset \mathrm{by}_{\{1\}}(\Diamond test)
\]

It is easy to show that $t \supset (d \wedge \neg sp) \to t \supset d$ and $t \supset (d \wedge \neg sp) \to t \supset \neg sp$. Two applications of cut give us $t \supset d \wedge \neg sp \to t \supset \mathrm{by}_{\{1\}}(\Diamond test)$. Now applying $(t \supset)$:

\[
\to d \wedge \neg sp \supset \mathrm{by}_{\{1\}}(\Diamond test)
\]

What does this tell us about conformance? Intuitively, regulations tell us nothing about what actually holds. Given the regulation above, $\to d \wedge \neg sp \supset \Diamond test$ is not provable. Conformance is a separate notion of inference, i.e., what is required is true. Given a body of regulation, let $Id_O$ be the identifiers of the obligations. The actual state of affairs can be given by a run, or described declaratively by a set of LTL formulas $B$. The idea is that $B$ conforms to the regulation iff for all implications $X \in L$ such that $B \to \top \supset \mathrm{by}_{Id_O}(X)$, we have $B \to X$.

Example 2: The following regulation gives us a prototype for the middle value:

- 1.o: $\neg\mathrm{by}_{\{1\}}(p) \Rightarrow p$

This obligation requires $p$ when it doesn't require $p$, and is always ungrounded. The following are provable:

\[
\to \mathrm{by}_{\{1\}}(p) \supset ?
\]
\[
\to ? \supset \mathrm{by}_{\{1\}}(p)
\]

Using RBy1, RBy2 and Proposition 10, it is easy to show that $\to \mathrm{by}_{\{1\}}(p) \supset \neg\mathrm{by}_{\{1\}}(p)$ and $\to \neg\mathrm{by}_{\{1\}}(p) \supset \mathrm{by}_{\{1\}}(p)$. By propositional reasoning, it is easy to show that $A \supset \neg A,\; \neg A \supset A \to A \supset ?$ and $A \supset \neg A,\; \neg A \supset A \to ? \supset A$. The provability of the claims follows easily.
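The semantic characterization of $\mathrm{by}_{Id}(C)$ given with RBy1/RBy2, and Examples 1 and 2 above, can be exercised mechanically. The following Python is an added illustration (not code from the paper): it checks $\to_L \bigwedge \Gamma_{post} \supset C$ by truth tables for the propositional fragment, computes each inference predicate's value from the current assignment exactly as RBy1/RBy2 prescribe, and iterates from "all ?" to the Kripke least fixed point. The tuple encoding of formulas and laws is my own, and $\Diamond test$ is collapsed to a plain atom `etest`, a constructed simplification that suffices for these two derivations.

```python
from functools import reduce
from itertools import combinations, product
T, U, F = 1, 0, -1   # true, middle ("?"), false: ¬v is -v, ∧ is min, ∨ is max

def atoms(f):   # atomic propositions of an L-formula; formulas are nested tuples
    return {f[1]} if f[0] == 'atom' else set().union(*(atoms(g) for g in f[1:]))

def classical(f, s):   # two-valued truth of an L-formula (no 'by' nodes) in state s
    op = f[0]
    if op == 'atom': return f[1] in s
    if op == 'not':  return not classical(f[1], s)
    if op == 'and':  return classical(f[1], s) and classical(f[2], s)
    return (not classical(f[1], s)) or classical(f[2], s)        # 'imp'

def valid(f):   # ->_L f : true under every two-valued assignment to its atoms
    names = sorted(atoms(f))
    return all(classical(f, {n for n, b in zip(names, bits) if b})
               for bits in product((0, 1), repeat=len(names)))

def val(f, s, by):   # strong Kleene value; 'by' assigns the inference predicates
    op = f[0]
    if op == 'atom': return T if f[1] in s else F
    if op == 'not':  return -val(f[1], s, by)
    if op == 'and':  return min(val(f[1], s, by), val(f[2], s, by))
    if op == 'imp':  return max(-val(f[1], s, by), val(f[2], s, by))
    return by[f]                                                  # ('by', ids, c)

def by_step(ids, c, reg, s, by):
    """One Kripke step for by_Id(c): T iff some Γ in Reg_(Id,c) has all its
    preconditions true, F iff every such Γ has a false one (cf. RBy1/RBy2)."""
    laws = [(pre, post) for lid, pre, post in reg if lid in ids]
    best = F                 # no qualifying Γ at all: RBy2 applies vacuously
    for k in range(len(laws) + 1):
        for gamma in combinations(laws, k):
            posts = [post for _, post in gamma]                 # ∧∅ is read as T
            if valid(('imp', reduce(lambda a, b: ('and', a, b), posts), c) if posts else c):
                best = max(best, min([val(pre, s, by) for pre, _ in gamma], default=T))
    return best

def by_nodes(f):   # all by_Id(C) subformulas of f
    return ({f} if f[0] == 'by' else set()).union(
        *(by_nodes(g) for g in f[1:] if isinstance(g, tuple)))

def evaluate(reg, s, ids, c):
    """Kripke least fixed point: start every inference predicate at '?',
    iterate until the assignment is stable, then read off by_Id(c)."""
    q = ('by', frozenset(ids), c)
    nodes = by_nodes(q).union(*(by_nodes(pre) for _, pre, _ in reg))
    by = {n: U for n in nodes}
    while True:
        new = {n: by_step(n[1], n[2], reg, s, by) for n in nodes}
        if new == by:
            return by[q]
        by = new

# Example 1 of the paper, with ◇test collapsed to the atom 'etest' (constructed simplification)
ETEST = ('atom', 'etest')
REG1 = [('1', ('and', ('atom', 'd'), ('not', ('by', frozenset({'2'}), ('not', ETEST)))), ETEST),
        ('2', ('atom', 'sp'), ('not', ETEST))]
# Example 2 of the paper: 1.o: ¬by_{1}(p) ⇒ p, which is ungrounded
REG2 = [('1', ('not', ('by', frozenset({'1'}), ('atom', 'p'))), ('atom', 'p'))]
```

`evaluate(REG1, {'d'}, {'1'}, ETEST)` returns 1 (T) and drops to -1 (F) once `'sp'` is added to the state, while `evaluate(REG2, set(), {'1'}, ('atom', 'p'))` stays at 0, the middle value.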


5  Conclusions  and  Future  Work 

We have motivated and described a logic (RefL) that accommodates references between laws. RefL separates two uses of statements - drawing inferences from regulation, and determining facts about an organization. We believe that this separation is crucial to the application of conformance checking.
The inference predicate blends two ideas from logic programming. First, the Kripke-Kleene-Fitting semantics [28], which uses three values for negation in logic programs. In RefL, we place the burden on a predicate, rather than on negation. The advantage is that connectives can behave as they do in a many-valued logic. Second, contextual logic programs [29] use operations to restrict the context from which inferences are derived. Referring to specific laws (via identifiers) gives us fine-grained control of context.

RefL provides a starting point in bringing the advantages of non-monotonic reasoning to systems such as [3,5]. [3] represents business contracts as SQL queries, and [5] uses first-order logic augmented with real-time operators. The inference predicate can be added to these systems, provided that the existential quantification is relativized to either the preconditions or the postconditions. However, restrictions are needed to ensure that the satisfiability tests remain decidable. [4] discusses the importance of analyzing references, but does not provide a formalization.

In this work, we have considered references to laws that appear in preconditions. There is also the need for references in postconditions. An obvious case is for laws that cancel obligations and permissions given by another, e.g., if a donation is not used for transfusion, exemption (3) no longer applies. A more speculative case can be made for iterated deontic constructs [18], e.g., "required to allow x". We suggest that the semantics will involve representing agents who introduce laws that reason about each other, e.g., you are required to (introduce laws that) allow a patient to see his records.

On the computational side, our goal is to be able to scale up to runs with a large number of objects, and incorporate RefL into a runtime checking framework for LTL. In a companion paper [30], we identify a fragment of RefL motivated by a case study of the FDA CFR. The fragment assumes that $\mathrm{by}_{Id}(\varphi)$ can be evaluated by using at most one of the laws referred to. This assumption allows us to replace satisfiability tests with tests of lower complexity, and lets us scale up to runs with a large number of objects. In this paper, we have focused on formally characterizing the semantics and complexity of RefL, and in [30], we focus on optimizations that are needed in practice.